I am trying to learn about buffer overflows from this book I am reading called "Hacking: The Art of Exploitation" by Jon Erickson. Essentially I am passing more bytes in my command line argument than the char array can store, causing a buffer overflow. My objective is to write the exact bytes, 0xdeadbeef, into the value variable. This code works on my Linux VM but not on my Windows machine... why is this?
overflow_example.c:
#include <stdio.h>
#include <string.h>

/* Deliberately vulnerable, as in the book: strcpy() copies argv[1] into an
   8-byte buffer with no length check, so a longer argument runs past it into
   whatever the compiler placed above it on the stack. */
int main(int argc, char *argv[]){
    int value = 5;
    char buffer_one[8], buffer_two[8];
    strcpy(buffer_one, "one");
    strcpy(buffer_two, "two");
    printf("[BEFORE] buffer_two is at %p and contains \'%s\'\n", buffer_two, buffer_two);
    printf("[BEFORE] buffer_one is at %p and contains \'%s\'\n", buffer_one, buffer_one);
    printf("[BEFORE] value is at %p and is %d (0x%08x)\n", &value, value, value);
    /* strlen() returns size_t; cast it so the %d conversion matches its argument */
    printf("\n[STRCPY] copying %d bytes into buffer_two\n\n", (int)strlen(argv[1]));
    strcpy(buffer_two, argv[1]);   /* the overflow: no bound on argv[1] */
    printf("[AFTER] buffer_two is at %p and contains \'%s\'\n", buffer_two, buffer_two);
    printf("[AFTER] buffer_one is at %p and contains \'%s\'\n", buffer_one, buffer_one);
    printf("[AFTER] value is at %p and is %d (0x%08x)\n", &value, value, value);
    return 0;
}
On my Windows x86_64 machine I am only able to write 0x0000beef to the value variable, and whenever I try to write something like 0xdeadbeef I get a value that I don't really understand. I calculated the distance between buffer_two (0061FF0C) and value (0061FF1C) to be 16 bytes, which is why I fill the first 16 bytes with the character A.
beef example from Windows 10 x86_64 machine
$ ./overflow_example.exe `perl -e 'print "\x41"x16 . "\xEF\xBE"'`
[BEFORE] buffer_two is at 0061FF0C and contains 'two'
[BEFORE] buffer_one is at 0061FF14 and contains 'one'
[BEFORE] value is at 0061FF1C and is 5 (0x00000005)
[STRCPY] copying 18 bytes into buffer_two
[AFTER] buffer_two is at 0061FF0C and contains 'AAAAAAAAAAAAAAAA∩╛'
[AFTER] buffer_one is at 0061FF14 and contains 'AAAAAAAA∩╛'
[AFTER] value is at 0061FF1C and is 48879 (0x0000beef)
deadbeef example from Windows 10 x86_64 machine
$ ./overflow_example.exe `perl -e 'print "\x41"x16 . "\xEF\xBE\xAD\xDE"'`
[BEFORE] buffer_two is at 0061FF0C and contains 'two'
[BEFORE] buffer_one is at 0061FF14 and contains 'one'
[BEFORE] value is at 0061FF1C and is 5 (0x00000005)
[STRCPY] copying 18 bytes into buffer_two
[AFTER] buffer_two is at 0061FF0C and contains 'AAAAAAAAAAAAAAAA?▐'
[AFTER] buffer_one is at 0061FF14 and contains 'AAAAAAAA?▐'
[AFTER] value is at 0061FF1C and is 56895 (0x0000de3f)
However, when I try to run the same code on my Kali VM it seems to work. Why is this the case?
QEMU KALI-Linux VM on same machine
$ ./overflow_example.exe `perl -e 'print "\x41"x16 . "\xEF\xBE\xAD\xDE"'`
[BEFORE] buffer_two is at 0x7ffedc85505c and contains 'two'
[BEFORE] buffer_one is at 0x7ffedc855064 and contains 'one'
[BEFORE] value is at 7ffedc85506c and is 5 (0x00000005)
[STRCPY] copying 18 bytes into buffer_two
[AFTER] buffer_two is at 0x7ffedc85505c and contains 'AAAAAAAAAAAAAAAA?▐'
[AFTER] buffer_one is at 0x7ffedc855064 and contains 'AAAAAAAA?▐'
[AFTER] value is at 0x7ffedc85506c and is -559038737 (0xdeadbeef)
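Added example (not code from the question or from the book) that takes the layout the question's program printed, buffer_two lowest, buffer_one 8 bytes above it, value 16 bytes above it, and reproduces the three results in the transcripts deterministically, without depending on how the shell, perl and the C runtime hand bytes >= 0x80 to argv[1]. Two things in the Windows transcripts are worth checking before suspecting the compiler: the deadbeef run reports 18 bytes copied for a 20-byte payload, and value ends as 0x0000de3f, which on little-endian x86 means the two bytes that landed on it were 0x3f 0xde, not the 0xef 0xbe 0xad 0xde that perl printed. So the example (a) hexdumps argv[1] exactly as received, (b) accepts the payload hex-encoded, so every byte on the command line is 7-bit ASCII and nothing in between can reinterpret it, and (c) models the frame as a struct so the offsets are fixed; the compiler gives stack locals no guaranteed order, which is why the distance for the real program must be read from the addresses it prints. The struct name, the function names and the hex-argument convention are this example's own assumptions.

```c
/* overflow_layout_demo.c -- added example, not from the question or the book.
 * Build: gcc -Wall -O2 -o overflow_layout_demo overflow_layout_demo.c
 * Run:   ./overflow_layout_demo 41414141414141414141414141414141efbeadde
 *        (no argument: builds the 0xdeadbeef payload itself) */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the frame the question's program printed:
 * buffer_two lowest, buffer_one 8 bytes above it, value 16 bytes above it.
 * A struct pins this order down; stack locals have no such guarantee. */
struct frame {
    char buffer_two[8];
    char buffer_one[8];
    int  value;
};
_Static_assert(offsetof(struct frame, value) == 16, "unexpected frame layout");

/* pad filler bytes, then target in little-endian order (x86): the byte order
 * the perl one-liner "\xEF\xBE\xAD\xDE" spells out by hand.
 * Returns the payload length, or 0 if it would not fit in out[]. */
static size_t build_payload(unsigned char *out, size_t cap,
                            size_t pad, uint32_t target) {
    if (pad + 4 > cap) return 0;
    memset(out, 'A', pad);
    for (int i = 0; i < 4; i++)
        out[pad + i] = (unsigned char)(target >> (8 * i));
    return pad + 4;
}

/* Copy len raw bytes over the frame starting at buffer_two and return what
 * ended up in value. Writing through an unsigned char * that covers the
 * whole struct is well-defined C, so the optimizer cannot drop the copy. */
static uint32_t overflow_value(const unsigned char *payload, size_t len) {
    struct frame f = { "two", "one", 5 };
    uint32_t v;
    if (len > sizeof f) len = sizeof f;        /* stay inside the model frame */
    memcpy((unsigned char *)&f, payload, len);
    memcpy(&v, &f.value, sizeof v);
    return v;
}

/* Build pad+target but deliver only its first nbytes: models a transport
 * that truncated or rewrote the tail of the payload on the way to argv. */
static uint32_t value_after(size_t pad, uint32_t target, size_t nbytes) {
    unsigned char buf[64];
    size_t len = build_payload(buf, sizeof buf, pad, target);
    if (len == 0) return 0;
    return overflow_value(buf, nbytes < len ? nbytes : len);
}

/* Decode lowercase hex ("efbeadde") into raw bytes; returns the byte count,
 * 0 on malformed input. Hex keeps the command line in 7-bit ASCII, so no
 * shell, console code page or C runtime gets a chance to alter 0xEF 0xBE. */
static size_t hex_decode(const char *hex, unsigned char *out, size_t cap) {
    static const char digits[] = "0123456789abcdef";
    size_t n = strlen(hex);
    if (n == 0 || n % 2 != 0 || n / 2 > cap) return 0;
    for (size_t i = 0; i < n; i += 2) {
        const char *hi = strchr(digits, hex[i]), *lo = strchr(digits, hex[i + 1]);
        if (!hi || !lo) return 0;
        out[i / 2] = (unsigned char)((hi - digits) << 4 | (lo - digits));
    }
    return n / 2;
}

/* Decode a hex payload and apply it; *ok reports whether the hex was valid. */
static uint32_t value_from_hex(const char *hex, int *ok) {
    unsigned char buf[64];
    size_t len = hex_decode(hex, buf, sizeof buf);
    *ok = len != 0;
    return len ? overflow_value(buf, len) : 0;
}

static void hexdump(const char *label, const unsigned char *p, size_t n) {
    printf("%s (%u bytes):", label, (unsigned)n);
    for (size_t i = 0; i < n; i++) printf(" %02x", p[i]);
    putchar('\n');
}

int main(int argc, char *argv[]) {
    unsigned char payload[64];
    size_t len;
    if (argc > 1) {
        /* First question to settle on any platform: which bytes actually arrived? */
        hexdump("argv[1] as received", (const unsigned char *)argv[1], strlen(argv[1]));
        len = hex_decode(argv[1], payload, sizeof payload);
        if (len == 0) { fprintf(stderr, "argv[1] must be lowercase hex of even length\n"); return 1; }
    } else {
        len = build_payload(payload, sizeof payload, offsetof(struct frame, value), 0xdeadbeefu);
    }
    hexdump("payload applied", payload, len);
    printf("value after copy: 0x%08x\n", (unsigned)overflow_value(payload, len));
    return 0;
}
```

Run the original overflow_example.exe with the same hexdump added at the top of main and compare the bytes it reports on Windows with those on Kali; the hex-argument form (40 hex digits for the 16 filler bytes plus 0xdeadbeef) is the practical way to hand arbitrary bytes to a program through any command line. value_after(16, 0xdeadbeef, 20) is the Kali run, value_after(16, 0xdeadbeef, 18) is the beef run, and value_after(16, 0x0000de3f, 18) is the bytes the Windows deadbeef run actually applied.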